"As more organizations become aware that the AICPA/CICA Generally Accepted Privacy Principles exists, we are confident that it will become a key tool for organizations to use to build, evaluate and validate their privacy regimes."
Bryan Walker, Canadian Institute of Chartered Accountants (CICA)
Canadian Institute of Chartered Accountants (CICA)
Generally Accepted Privacy Principles
In early 2006, the CICA/AICPA announced the Generally
Accepted Privacy Principles (GAPP). Nymity
has a long history of working with the CICA and has
extensive GAPP expertise: Nymity used the GAPP
predecessor, the "Privacy Framework",
in the creation of many of its solutions.
Nymity Firsts
Nymity offers the:
The following are the ten Generally Accepted Privacy
Principles:
- Management. The entity defines,
documents, communicates, and assigns accountability
for its privacy policies and procedures.
- Notice. The entity provides notice
about its privacy policies and procedures and identifies
the purposes for which personal information is collected,
used, retained, and disclosed.
- Choice and Consent. The entity
describes the choices available to the individual
and obtains implicit or explicit consent with respect
to the collection, use, and disclosure of personal
information.
- Collection. The entity collects
personal information only for the purposes identified
in the notice.
- Use and Retention. The entity limits
the use of personal information to the purposes identified
in the notice and for which the individual has provided
implicit or explicit consent. The entity retains personal
information for only as long as necessary to fulfill
the stated purposes.
- Access. The entity provides individuals
with access to their personal information for review
and update.
- Disclosure to Third Parties. The
entity discloses personal information to third parties
only for the purposes identified in the notice and
with the implicit or explicit consent of the individual.
- Security for Privacy. The entity
protects personal information against unauthorized
access (both physical and logical).
- Quality. The entity maintains accurate,
complete, and relevant personal information for the
purposes identified in the notice.
- Monitoring and Enforcement. The
entity monitors compliance with its privacy policies
and procedures and has procedures to address privacy-related
complaints and disputes.
For more information contact Nymity at 416 214 7838
or toll-free at 1 866 3 NYMITY or by email at info@nymity.com.
September 2007 Interview with Nicholas Cheung, Principal, Assurance Services Development
GAPP Workshop
Understanding GAPP
Privacy Training Based on GAPP
Privacy Training
Risk Mitigation Solutions Based on GAPP
PrivaWorks
Canadian Notice Index
CICA Members
Nymity solutions are designed to support CICA members delivering privacy auditing
and consulting services.
Nymity does not offer services that compete with CICA members' services.